LibTIFF tiff2pdf buffer overflow

libtiff-tiff2pdf-bo (26991) The risk level is classified as HighHigh Risk

Description:

LibTIFF is vulnerable to a stack-based buffer overflow in the tiff2pdf module. By creating a malicious TIFF file with a DocumentName tag containing UTF-8 encoded characters, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service, once a victim processes the malicious TIFF file.


Consequences:

Gain Access

Remedy:

For Debian GNU/Linux:
Refer to DSA-1091-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-07-03 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References:

  • Debian Bug report logs - #370355: libtiff-tools: tiff2pdf segfault.
  • LibTIFF Web page: LibTIFF - TIFF Library and Utilities.
  • RemoteSensing Bugzilla Bug 1196: tiff2pdf dumps core when DocumentName contains UTF-8.
  • Sun Alert ID: 103099: Multiple Security Vulnerabilities in the Solaris Tag Image File Format Library libtiff(3).
  • Sun Alert ID: 103160: Security Vulnerabilities in libtiff(3) May Allow Denial of Service (DoS) or Privilege Elevation.
  • ASA-2007-440: Multiple Security Vulnerabilities in the Solaris Tag Image File Format Library libtiff(3) (Sun 103099)
  • ASA-2007-509: Security Vulnerabilities in libtiff(3) May Allow Denial of Service (DoS) or Privilege Elevation (Sun 103160)
  • ASA-2008-374: libtiff security and bug fix update (RHSA-2008-0848)
  • BID-18331: LibTIFF tiff2pdf Remote Buffer Overflow Vulnerability
  • CVE-2006-2193: Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.
  • DSA-1091: tiff -- buffer overflows
  • GLSA-200607-03: libTIFF: Multiple buffer overflows
  • MDKSA-2006:102: Updated libtiff packages fixes tiff2pdf vulnerability
  • RHSA-2008-0848: Important: libtiff security and bug fix update
  • SA20488: LibTIFF tiff2pdf Buffer Overflow Vulnerability
  • SA27181: Sun Solaris libtiff Multiple Vulnerabilities
  • SA27222: Sun Solaris libtiff Multiple Vulnerabilities
  • SA27832: Sun Solaris libTIFF Multiple Vulnerabilities
  • SUSE-SR:2006:014: SUSE Security Summary Report
  • USN-289-1: tiff vulnerabilities
  • VUPEN/ADV-2006-2197: LibTIFF tiff2pdf and tiffsplit File Handling Buffer Overflow Vulnerabilities
  • VUPEN/ADV-2007-3486: Sun Solaris libTIFF Multiple Code Execution and Denial of Service Issues
  • VUPEN/ADV-2007-4034: Sun Solaris libTIFF Multiple Code Execution and Denial of Service Issues

Platforms Affected:

  • Canonical Ubuntu 5.04
  • Canonical Ubuntu 5.10
  • Canonical Ubuntu 6.06 LTS
  • Debian Debian Linux 3.0
  • Debian Debian Linux 3.1
  • Gentoo Linux
  • MandrakeSoft Mandrake Linux 2006
  • MandrakeSoft Mandrake Linux 2006 X86_64
  • MandrakeSoft Mandrake Linux LE2005
  • MandrakeSoft Mandrake Linux LE2005 X86_64
  • RedHat Enterprise Linux 4 Desktop
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 ES
  • RedHat Enterprise Linux 4 WS
  • RedHat Enterprise Linux 4.7.z AS
  • RedHat Red Hat Enterprise Linux 4.7.z ES
  • Sam Leffler LibTIFF 3.8.2
  • Sun Solaris 10 SPARC
  • Sun Solaris 10 x86
  • Sun Solaris 8 x86
  • Sun Solaris 8 SPARC
  • Sun Solaris 9 SPARC
  • Sun Solaris 9 x86

Reported:

Jun 04, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page